Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

Fedora 27 update: libpng10 Denial Of Service advisory for CVE-2018-13785

fedora
Calendar Grey July 29, 2018
Dist Fedora Esm H88
Update for libpng10 addresses integer overflow, preventing denial of service via crafted PNG files in Fedora 27.
Fix for CVE-2018-13785: the libpng10 library was vulnerable to an integer overflow and resultant divide-by-zero in the pngrutil.c:png_check_chunk_length() function

Summary

The libpng10 package contains an old version of libpng, a library of functions

for creating and manipulating PNG (Portable Network Graphics) image format

files.

This package is needed if you want to run binaries that were linked dynamically

with libpng 1.0.x.

Fix for CVE-2018-13785: the libpng10 library was vulnerable to an integer

overflow and resultant divide-by-zero in the

pngrutil.c:png_check_chunk_length() function. An attacker could exploit this to

cause a denial of service via a crafted PNG file.

* Fri Jul 13 2018 Paul Howarth - 1.0.69-5

- Fix the calculation of row_factor in png_check_chunk_length (CVE-2018-13785)

* Fri Jul 13 2018 Fedora Release Engineering - 1.0.69-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Wed Feb 14 2018 Paul Howarth - 1.0.69-3

- Avoid use of arch-specific build-requires (#1545195)

* Tue Feb 6 2018 Paul Howarth - 1.0.69-2

- ldconfig scriptlets replaced by RPM File Triggers from Fedora 28

- Make zlib-devel dependencies arch-specific

- Preserve upstream timestamps where possible

[ 1 ] Bug #1599943 - CVE-2018-13785 libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service

https://bugzilla.redhat.com/show_bug.cgi?id=1599943

su -c 'dnf upgrade --advisory FEDORA-2018-3e04e9fe54' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F3LEIASEMMWKXWPVVF74A2FRTY4WAMTJ/

Topics%20covered

Topics Covered

security advisory denial of service software update Fedora integer overflow libpng10

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 27
Version: 1.0.69
Release: 5.fc27
URL: http://www.libpng.org/pub/png/libpng.html
Summary: Old version of libpng, needed to run old binaries

Topics%20covered

Topics Covered

security advisory denial of service software update Fedora integer overflow libpng10

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here